Private Back-Office & Private Front-Office

Row Owners would be the secure way to restrict which data a user has access to.

Only if you have a whitelist table restricting who can sign in, or assign Role functionality to a user.

Assigning Row Owners to a table does not make a user private on its own.

You can either build everything into a single app and assign multiple row owners to each table (maybe using Roles for BO employees), or you can have separate FO and BO apps with different row ownership. Maybe no row ownership for BO employees, but use row ownership for FO users.